diff --git a/Dockerfile b/Dockerfile
index ba56340..07095f7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,12 @@ RUN apt-get update
 RUN apt-get install -y nginx
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf
 
+RUN mkdir /etc/nginx/ssl
+WORKDIR /etc/nginx/ssl
+RUN openssl genrsa -out server.key 2048
+RUN openssl req -new -batch -key server.key -out server.csr
+RUN openssl x509 -req -days 10000 -in server.csr -signkey server.key -out server.crt
+
 RUN mkdir /app
 WORKDIR /app
 ADD . /app
diff --git a/README.md b/README.md
index c4fbb13..1c0c3d7 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generate reverse proxy configs for nginx and reloads nginx when containers they are started and stopped.
+nginx-proxy sets up a container running nginx and [docker-gen][1]. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.
 
 See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use this.
 
@@ -6,7 +6,7 @@ See [Automated Nginx Reverse Proxy for Docker][2] for why you might want to use
 
 To run it:
 
- $ docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock -t jwilder/nginx-proxy
+ $ docker run -d -p 80:80 -p 443:443 -v /var/run/docker.sock:/tmp/docker.sock -t jwilder/nginx-proxy
 
 Then start any containers you want proxied with an env var VIRTUAL_HOST=subdomain.youdomain.com
 
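Review bot: The private key produced by `RUN openssl genrsa -out server.key 2048` is written into an image layer, so every container started from a published build of this image (the README runs `jwilder/nginx-proxy` straight from the registry) shares one TLS private key that anyone who pulls the image can read, which makes the key worthless even as a placeholder. Generate the self-signed pair at container start when /etc/nginx/ssl is empty, or document mounting a volume at that path, so each deployment gets its own key and a real certificate can be dropped in without rebuilding the image. If build-time generation is kept, collapse the three openssl steps into one layer and give the certificate a subject, because `openssl req -new -batch` with no `-subj` takes the distribution defaults from openssl.cnf, which set no CN, so the certificate is likely to name no host at all: `RUN mkdir -p /etc/nginx/ssl && openssl req -x509 -nodes -newkey rsa:2048 -days 10000 -subj "/CN=localhost" -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt`. The `WORKDIR /etc/nginx/ssl` line can then go, which also stops the working directory from bouncing between /etc/nginx/ssl and /app.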
@@ -18,5 +18,15 @@ Provided your DNS is setup to forward foo.bar.com to the a host running nginx-pr
 
 If your container exposes multiple ports, nginx-proxy will default to the service running on port 80. If you need to specify a different port, you can set a VIRTUAL_PORT env var to select a different one. If your container only exposes one port and it has a VIRTUAL_HOST env var set, that port will be selected.
 
+### SSL Support
+
+You can enable SSL by setting VIRTUAL_SSL_HOST on your container:
+
+ $ docker run -e VIRTUAL_HOST=foo.bar.com -e VIRTUAL_SSL_HOST=foo.bar.com -t ...
+
+VIRTUAL_SSL_PORT can also be set on your container to override the default port, 443.
+
+Self signed certs are generated on docker build, please replace them with your own for production use.
+
 [1]: https://github.com/jwilder/docker-gen
 [2]: http://jasonwilder.com/blog/2014/03/25/automated-nginx-reverse-proxy-for-docker/
diff --git a/nginx.tmpl b/nginx.tmpl
index 1d62622..3d51e0e 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -33,7 +33,7 @@ upstream {{ $host }} {
 server {{ $address.IP }}:{{ $address.Port }};
 {{ end }}
 {{ end }}
- {{ end }}
+ {{ end }}
 {{ end }}
 }
 
@@ -53,3 +53,46 @@ server {
 }
 }
 {{ end }}
+
+{{ range $host, $containers := groupBy $ "Env.VIRTUAL_SSL_HOST" }}
+upstream ssl-{{ $host }} {
+
+{{ range $index, $value := $containers }}
+ {{ if $value.Env.VIRTUAL_SSL_PORT }}
+ {{ range $i, $address := $value.Addresses }}
+ {{ if eq $address.Port $value.Env.VIRTUAL_SSL_PORT }}
+ # {{$value.Name}}
+ server {{ $address.IP }}:{{ $address.Port }};
+ {{end}}
+ {{end}}
+ {{ else }}
+ {{ range $i, $address := $value.Addresses }}
+ {{ if eq $address.Port "443" }}
+ # {{$value.Name}}
+ server {{ $address.IP }}:{{ $address.Port }};
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
+}
+
+server {
+ listen 443 ssl;
+
+ server_name {{ $host }};
+ proxy_buffering off;
+
+ location / {
+ proxy_pass https://ssl-{{ $host }};
+ include /etc/nginx/proxy_params;
+ }
+}
+{{ end }}
+
+{{/* Should consider retrieving proper certs from a remote server, keyed by $VIRTUAL_SSL_HOST */}}
+ssl_certificate /etc/nginx/ssl/server.crt;
+ssl_certificate_key /etc/nginx/ssl/server.key;
+ssl_session_timeout 5m;
+ssl_protocols SSLv3 TLSv1;
+ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
+ssl_prefer_server_ciphers on;
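Review bot: `ssl_protocols SSLv3 TLSv1;` combined with `ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;` leaves SSLv3, RC4 and export-grade suites negotiable, so the `listen 443 ssl;` server blocks this template emits can be talked down to ciphers with known weaknesses even by clients that support better ones. Use `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and `ssl_ciphers HIGH:!aNULL:!MD5;` (nginx's own default string) and keep `ssl_prefer_server_ciphers on;`. Separately, `proxy_pass https://ssl-{{ $host }};` requires the backend container to terminate TLS itself on VIRTUAL_SSL_PORT, and nginx does not verify that upstream certificate unless `proxy_ssl_verify on` is configured (available in newer nginx releases), which deserves a comment beside the location block so operators know the hop is encrypted but not authenticated. Finally, when no address matches the port filter the rendered `upstream ssl-{{ $host }} { }` contains no `server` entries, which nginx rejects at config load; this looks like the same limitation as the existing non-SSL upstream block, but it bites harder here because a container with VIRTUAL_SSL_HOST and a non-443 port that forgets VIRTUAL_SSL_PORT will take the whole proxy config down.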